rsnapshot remote


To back up my data I use rsnapshot, locally and remotely, in addition to FTP backups. The server's data is backed up to disk every 2 hours. As a conventional backup this is not enough: if the disk or the server is gone, the backups are gone too. But changes to configs can readily be restored from it, and of course accidentally deleted emails. Since rsnapshot uses hard links, the space used by backups over a few months only contains changed files.

The local installation of rsnapshot is not particularly complicated, and described in various places.

But I want server A to also back up the data from server B (if A is gone, I'm still able to get at the data).

In the example, obelix backs up itself and the remote server asterix. The local server (which runs rsnapshot) is called obelix, the other one is asterix.

asterix:

useradd -d /home/rbackup rbackup
passwd rbackup    # the password doesn't matter
mkdir /home/rbackup/.ssh


obelix:

# as root (as long as root starts rsnapshot)
ssh-keygen    # without passphrase
scp /root/.ssh/id_dsa.pub root@asterix:/home/rbackup/.ssh/authorized_keys2


asterix:

chmod 600 /home/rbackup/.ssh/authorized_keys2
chown rbackup /home/rbackup/.ssh/authorized_keys2
chmod 700 /home/rbackup/.ssh/
chown rbackup /home/rbackup/.ssh/

At the beginning of authorized_keys2 (in front of the key, on the same line) add

from="88.198.67.99",command="/home/rbackup/validate-rsync.sh"


(88.198.67.99 is the IP of obelix; specifying the IP is only an additional protection and can be omitted)

Create /home/rbackup/validate-rsync.sh on asterix:

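#!/bin/sh
# Forced command for the rbackup key: only lets rsync requests through.
case "$SSH_ORIGINAL_COMMAND" in
    *\&*)
        # reject commands that contain "&"
        echo "Rejected 1"
        ;;
    *\;*)
        # reject commands that contain ";"
        echo "Rejected 2"
        ;;
    rsync*)
        # anything starting with "rsync" (this includes rsync_wrapper.sh) is run
        $SSH_ORIGINAL_COMMAND
        ;;
    *true*)
        echo "$SSH_ORIGINAL_COMMAND"
        ;;
    *)
        echo "Rejected 3"
        ;;
esac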

Next, asterix needs /usr/local/bin/rsync_wrapper.sh:

#!/bin/sh
/usr/bin/sudo /usr/bin/rsync "$@";

Set the permissions:

chown rbackup /home/rbackup/validate-rsync.sh
chmod 754 /home/rbackup/validate-rsync.sh
chown rbackup /usr/local/bin/rsync_wrapper.sh
chmod 750 /usr/local/bin/rsync_wrapper.sh

and extend /etc/sudoers:

rbackup ALL = NOPASSWD: /usr/bin/rsync

Now we can test the setup from obelix:

obelix:~ # ssh rbackup@asterix
Rejected 3
Connection to asterix closed.

“Rejected 3” is OK, since the script was invoked with no parameters. The login only works with proper parameters and from the defined source IP.
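A stricter variant of validate-rsync.sh, as an added example that is not the author's script: because rsync runs through sudo on asterix, it only accepts rsync in pull mode (`--server --sender`) via rsync_wrapper.sh and refuses every long option except `--numeric-ids`. The sample requests, the option allow-list and the `--selftest` switch are assumptions made for this example; check what your rsync version actually sends before using it.

```shell
#!/bin/sh
# Stricter forced command for the rbackup key on asterix (added example, not
# the author's script). Assumptions: obelix only pulls, so rsync on asterix
# runs as "--server --sender" through rsync_wrapper.sh, and --numeric-ids is
# the only long option the server side needs (per the page's rsync_long_args).

# validate_cmd CMD: return 0 if CMD is a read-only rsync request, else 1.
validate_cmd() {
    case "$1" in
        # Nothing below re-parses CMD with a shell, but these characters
        # never occur in a legitimate request, so refuse them outright.
        *\&*|*\;*|*\|*|*\<*|*\>*|*\`*|*\$*|*\(*|*\)*) return 1 ;;
        "rsync_wrapper.sh --server --sender "*) ;;
        *) return 1 ;;
    esac
    set -f; set -- $1; set +f       # split into words, no glob expansion
    shift 3
    for word in "$@"; do
        case "$word" in
            --numeric-ids) ;;
            # Other long options are refused: --remove-source-files or
            # --log-file=... would delete or write files as root.
            --*) return 1 ;;
            # Short flag clusters such as -logDtprRe.iLsfxC
            -*) case "${word#-}" in *[!A-Za-z0-9.]*) return 1 ;; esac ;;
        esac
    done
    return 0
}

# selftest: classify constructed sample requests (not captured traffic).
selftest() {
    while IFS= read -r line; do
        if validate_cmd "$line"; then echo "allow: $line"
        else echo "deny:  $line"; fi
    done <<'EOF'
rsync_wrapper.sh --server --sender -logDtprRe.iLsfxC --numeric-ids . /usr
rsync_wrapper.sh --server -logDtprRe.iLsfxC --delete . /etc
rsync_wrapper.sh --server --sender -logDtprRe.iLsfxC --remove-source-files . /usr
EOF
}

case "${1-}" in --selftest) selftest; exit 0 ;; esac
# Act as the forced command only when installed under the page's file name.
if [ "${0##*/}" = "validate-rsync.sh" ]; then
    validate_cmd "${SSH_ORIGINAL_COMMAND-}" || { echo "Rejected" >&2; exit 1; }
    set -f                          # no glob expansion of the arguments
    exec $SSH_ORIGINAL_COMMAND
fi
```

Running it with `--selftest` prints how each constructed request is classified. The short-flag rule accepts letters, digits and dots so that the capability string after `-e`, which differs between rsync versions, still passes.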

The remote backup is now set up. In the end, only rsnapshot must be configured. I start rsnapshot through a wrapper script, so that the remote backups are performed only when the server is reachable.

/root/scripts/backup/rsnapshot.sh:

#!/bin/bash
# Usage: rsnapshot.sh <interval> <local|hostname>
case "$2" in
    local)
        # local backups need no reachability check
        ;;
    *)
        ping -c 2 "$2"
        ;;
esac
if [ $? != 0 ] ; then
    logger -d -t rsnapshot "$2 $1 failed - $2 is unreachable"
    exit 1
fi
logger -d -t rsnapshot "$2 $1 started"
/usr/local/bin/rsnapshot -c "/usr/local/etc/rsnapshot.$2.conf" "$1"

For rsnapshot itself I use two config files for each (remote) server. One contains the global config (same for all servers), the other one defines the backups for that server (e.g. back up only www from foo and only mail from foo2).

/usr/local/etc/rsnapshot.conf

# rsnapshot requires tabs, not spaces, between the fields on each line
config_version 1.2
snapshot_root /srv/snapshots/
cmd_rm /bin/rm
cmd_rsync /usr/bin/rsync
cmd_ssh /usr/bin/ssh
cmd_logger /bin/logger
verbose 2
loglevel 2
rsync_long_args --delete --numeric-ids --relative --delete-excluded
du_args -csh
one_fs 0
link_dest 0

/usr/local/etc/rsnapshot.asterix.conf (this config is used by the wrapper script and includes the global config):

include_conf /usr/local/etc/rsnapshot.conf
snapshot_root /srv/snapshots/asterix
interval hourly 12
interval daily 7
interval weekly 5
interval monthly 1
lockfile /var/run/rsnapshot-asterix.pid
rsync_long_args --rsync-path=rsync_wrapper.sh --delete --numeric-ids --relative --delete-excluded
backup rbackup@asterix:/bin asterix
backup rbackup@asterix:/usr asterix +rsync_long_args=--exclude=games --exclude=lib/local

For local backups I also have /usr/local/etc/rsnapshot.local.conf:

include_conf /usr/local/etc/rsnapshot.conf
interval hourly 12
interval daily 7
interval weekly 5
interval monthly 3
lockfile /var/run/rsnapshot-local.pid
exclude_file /usr/local/etc/rsnapshot.local.xcl
backup /bin localhost/
backup /boot localhost/
backup /etc localhost/
backup /home localhost/
backup /lib localhost/
backup /lib64 localhost/
backup /opt localhost/
backup /root localhost/
backup /sbin localhost/
backup /srv/ftp localhost/
backup /srv/www localhost/
backup /usr localhost/
backup /var localhost/

Start rsnapshot with

/root/scripts/backup/rsnapshot.sh hourly local


or

/root/scripts/backup/rsnapshot.sh daily asterix
